From patchwork Tue Dec 13 06:23:03 2022
X-Patchwork-Submitter: Sean Christopherson
X-Patchwork-Id: 32653
Date: Tue, 13 Dec 2022 06:23:03 +0000
In-Reply-To: <20221213062306.667649-1-seanjc@google.com>
Message-ID: <20221213062306.667649-2-seanjc@google.com>
Subject: [PATCH v2 1/4] KVM: nVMX: Properly expose ENABLE_USR_WAIT_PAUSE control to L1
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Aaron Lewis, Yu Zhang

Set ENABLE_USR_WAIT_PAUSE in KVM's supported VMX MSR configuration if the feature is supported in hardware and enabled in KVM's base, non-nested configuration, i.e. expose ENABLE_USR_WAIT_PAUSE to L1 if it's supported. This fixes a bug where saving/restoring, i.e. migrating, a vCPU will fail if WAITPKG (the associated CPUID feature) is enabled for the vCPU, and obviously allows L1 to enable the feature for L2.

KVM already effectively exposes ENABLE_USR_WAIT_PAUSE to L1 by stuffing the allowed-1 control in a vCPU's virtual MSR_IA32_VMX_PROCBASED_CTLS2 when updating secondary controls in response to KVM_SET_CPUID(2), but (a) that depends on flawed code (KVM shouldn't touch VMX MSRs in response to CPUID updates) and (b) runs afoul of vmx_restore_control_msr()'s restriction that the guest value must be a strict subset of the supported host value.

Although no past commit explicitly enabled nested support for WAITPKG, doing so is safe and functionally correct from an architectural perspective as no additional KVM support is needed to virtualize TPAUSE, UMONITOR, and UMWAIT for L2 relative to L1, and KVM already forwards VM-Exits to L1 as necessary (commit bf653b78f960, "KVM: vmx: Introduce handle_unexpected_vmexit and handle WAITPKG vmexit").
Note, KVM always keeps the host's MSR_IA32_UMWAIT_CONTROL resident in hardware, i.e. always runs both L1 and L2 with the host's power management settings for TPAUSE and UMWAIT. See commit bf09fb6cba4f ("KVM: VMX: Stop context switching MSR_IA32_UMWAIT_CONTROL") for more details.

Fixes: e69e72faa3a0 ("KVM: x86: Add support for user wait instructions")
Cc: stable@vger.kernel.org
Reported-by: Aaron Lewis
Reported-by: Yu Zhang
Signed-off-by: Sean Christopherson
Reviewed-by: Jim Mattson
---
 arch/x86/kvm/vmx/nested.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
index b6f4411b613e..d131375f347a 100644
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -6873,7 +6873,8 @@ void nested_vmx_setup_ctls_msrs(struct vmcs_config *vmcs_conf, u32 ept_caps) SECONDARY_EXEC_ENABLE_INVPCID | SECONDARY_EXEC_RDSEED_EXITING | SECONDARY_EXEC_XSAVES | - SECONDARY_EXEC_TSC_SCALING; + SECONDARY_EXEC_TSC_SCALING | + SECONDARY_EXEC_ENABLE_USR_WAIT_PAUSE; /* * We can emulate "VMCS shadowing," even if the hardware
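Review bot: Worth confirming that the control list this hunk extends is still masked by the base vmcs_conf secondary controls after it is built, since the commit message's guarantee that ENABLE_USR_WAIT_PAUSE reaches L1 only when supported in hardware and enabled in KVM's base configuration rests on that mask and not on the hunk itself, which adds SECONDARY_EXEC_ENABLE_USR_WAIT_PAUSE to the allow-list unconditionally. With Cc: stable, the backport also depends on commit bf653b78f960 (handle_unexpected_vmexit forwarding WAITPKG exits to L1) being present in the target tree; a note to that effect would help the stable maintainers.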
From patchwork Tue Dec 13 06:23:04 2022
X-Patchwork-Submitter: Sean Christopherson
X-Patchwork-Id: 32652
Date: Tue, 13 Dec 2022 06:23:04 +0000
In-Reply-To: <20221213062306.667649-1-seanjc@google.com>
Message-ID: <20221213062306.667649-3-seanjc@google.com>
Subject: [PATCH v2 2/4] KVM: nVMX: Don't stuff secondary execution control if it's not supported
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Aaron Lewis, Yu Zhang

When stuffing the allowed secondary execution controls for nested VMX in response to CPUID updates, don't set the allowed-1 bit for a feature that isn't supported by KVM, i.e. isn't allowed by the canonical vmcs_config. WARN if KVM attempts to manipulate a feature that isn't supported.

All features that are currently stuffed are always advertised to L1 for nested VMX if they are supported in KVM's base configuration, and no additional features should ever be added to the CPUID-induced stuffing (updating VMX MSRs in response to CPUID updates is a long-standing KVM flaw that is slowly being fixed).

Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/vmx/vmx.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index fe5615fd8295..13d3f5eb4c32 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -4459,6 +4459,16 @@ vmx_adjust_secondary_exec_control(struct vcpu_vmx *vmx, u32 *exec_control, * controls for features that are/aren't exposed to the guest. */ if (nested) { + /* + * All features that got grandfathered into KVM's flawed CPUID- + * induced manipulation of VMX MSRs are unconditionally exposed + * to L1 if the feature is supported by KVM (for nested). I.e. + * KVM should never attempt to stuff a feature that isn't + * already exposed to L1 for nested virtualization. + */ + if (WARN_ON_ONCE(!(vmcs_config.nested.secondary_ctls_high & control))) + enabled = false; + if (enabled) vmx->nested.msrs.secondary_ctls_high |= control; else
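Review bot: WARN_ON_ONCE only reports the first unsupported control, so if a second grandfathered control were ever found missing from vmcs_config.nested.secondary_ctls_high it would be masked silently; that is fine given the commit message's rule that nothing new gets added here, but a word in the comment that the WARN is a one-shot guard rather than a per-control diagnostic would set expectations. Forcing `enabled = false` is the right recovery, because the existing `else` path then clears the bit in vmx->nested.msrs.secondary_ctls_high, and checking the global vmcs_config.nested rather than the vCPU's own msrs is correct since the per-vCPU value may already have been narrowed by userspace.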
From patchwork Tue Dec 13 06:23:05 2022
X-Patchwork-Submitter: Sean Christopherson
X-Patchwork-Id: 32651
Date: Tue, 13 Dec 2022 06:23:05 +0000
In-Reply-To: <20221213062306.667649-1-seanjc@google.com>
Message-ID: <20221213062306.667649-4-seanjc@google.com>
Subject: [PATCH v2 3/4] KVM: nVMX: Don't muck with allowed sec exec controls on CPUID changes
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Aaron Lewis, Yu Zhang

Don't modify the set of allowed secondary execution controls, i.e. the virtual MSR_IA32_VMX_PROCBASED_CTLS2, in response to guest CPUID changes. To avoid breaking old userspace that never sets the VMX MSRs, i.e. relies on KVM to provide a consistent vCPU model, keep the existing behavior if userspace has never written MSR_IA32_VMX_PROCBASED_CTLS2.

KVM should not modify the VMX capabilities presented to L1 based on CPUID as doing so may discard explicit settings provided by userspace. E.g. if userspace does KVM_SET_MSRS => KVM_SET_CPUID and disables a feature in the VMX MSRs but not CPUID (to prevent exposing the feature to L2), then stuffing the VMX MSRs during KVM_SET_CPUID will expose the feature to L2 against userspace's wishes.

Alternatively, KVM could add a quirk, but that's less than ideal as a VMM that is affected by the bug would need to be updated in order to opt out of the buggy behavior.

The "has the MSR ever been written" logic handles both the case where an enlightened userspace sets the MSR during setup, and the case where userspace blindly migrates the MSR, as the migrated value will already have been sanitized by the source KVM.

Reported-by: Yu Zhang
Signed-off-by: Sean Christopherson --- arch/x86/kvm/vmx/capabilities.h | 1 + arch/x86/kvm/vmx/nested.c | 3 +++ arch/x86/kvm/vmx/vmx.c | 7 +++++-- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/arch/x86/kvm/vmx/capabilities.h b/arch/x86/kvm/vmx/capabilities.h index cd2ac9536c99..7b08d6006f52 100644 --- a/arch/x86/kvm/vmx/capabilities.h +++ b/arch/x86/kvm/vmx/capabilities.h @@ -51,6 +51,7 @@ struct nested_vmx_msrs { u64 cr4_fixed1; u64 vmcs_enum; u64 vmfunc_controls; + bool secondary_set_by_userspace; }; struct vmcs_config { diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c index d131375f347a..0140893412b7 100644 --- a/arch/x86/kvm/vmx/nested.c +++ b/arch/x86/kvm/vmx/nested.c @@ -1271,6 +1271,9 @@ vmx_restore_control_msr(struct vcpu_vmx *vmx, u32 msr_index, u64 data) if (!is_bitwise_subset(supported, data, GENMASK_ULL(63, 32))) return -EINVAL; + if (msr_index == MSR_IA32_VMX_PROCBASED_CTLS2) + vmx->nested.msrs.secondary_set_by_userspace = true; + vmx_get_control_msr(&vmx->nested.msrs, msr_index, &lowp, &highp); *lowp = data; *highp = data >> 32; diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 13d3f5eb4c32..dd0247bc7193 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c 
@@ -4456,9 +4456,12 @@ vmx_adjust_secondary_exec_control(struct vcpu_vmx *vmx, u32 *exec_control, /* * Update the nested MSR settings so that a nested VMM can/can't set - * controls for features that are/aren't exposed to the guest. + * controls for features that are/aren't exposed to the guest. Stuff + * the MSR if and only if userspace hasn't explicitly set the MSR, i.e. + * to avoid ABI breakage if userspace might be relying on KVM's flawed + * behavior to expose features to L1. */ - if (nested) { + if (nested && !vmx->nested.msrs.secondary_set_by_userspace) { /* * All features that got grandfathered into KVM's flawed CPUID- * induced manipulation of VMX MSRs are unconditionally exposed
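Review bot: The new `secondary_set_by_userspace` field in struct nested_vmx_msrs (capabilities.h hunk) lands among the u64 MSR values with no comment; a one-liner saying it is set on the first accepted userspace write of MSR_IA32_VMX_PROCBASED_CTLS2, is never cleared, and gates the CPUID-induced stuffing in vmx_adjust_secondary_exec_control() would help, since the setter and the consumer live in different files. It is also worth stating whether the flag is meant to survive vCPU reset; nothing in the hunks shown clears it.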
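Review bot: In the nested.c hunk, setting the flag only after is_bitwise_subset() has accepted the value is the right order, since a rejected write must not transfer ownership. Because the flag is derived on the destination when the MSR is restored rather than migrated as state of its own, the end result is the same whether userspace issues KVM_SET_CPUID before or after KVM_SET_MSRS: stuffing done before the restore is overwritten by the restored value, and stuffing attempted afterwards is suppressed; that ordering independence is what the commit message's migration sentence relies on and deserves to be spelled out there.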
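Review bot: In the vmx.c hunk the new comment says the MSR is stuffed "if and only if userspace hasn't explicitly set the MSR", but the condition on the next line also requires `nested`, so "if and only if" overstates it slightly; "only if" reads accurately.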
From patchwork Tue Dec 13 06:23:06 2022
X-Patchwork-Submitter: Sean Christopherson
X-Patchwork-Id: 32654
Date: Tue, 13 Dec 2022 06:23:06 +0000
In-Reply-To: <20221213062306.667649-1-seanjc@google.com>
Message-ID: <20221213062306.667649-5-seanjc@google.com>
Subject: [PATCH v2 4/4] KVM: selftests: Test KVM's handling of VMX's sec exec MSR on KVM_SET_CPUID
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Aaron Lewis, Yu Zhang

Verify that KVM does, and does not, modify the allowed set of VMX's secondary execution controls during KVM_SET_CPUID. Historically, KVM has modified select bits in response to guest CPUID changes to try and force a consistent CPU model. KVM's meddling causes problems if userspace invokes KVM_SET_CPUID after explicitly setting the MSR, as KVM may end up overriding a legal userspace config.

Newer, fixed KVM versions maintain the historical meddling for backwards compatibility, but only if userspace has never set the MSR for the vCPU. I.e. KVM transfers ownership to userspace on the first write.

Signed-off-by: Sean Christopherson
---
 .../selftests/kvm/include/x86_64/processor.h | 1 +
 .../selftests/kvm/include/x86_64/vmx.h | 4 +-
 .../selftests/kvm/x86_64/vmx_msrs_test.c | 92 +++++++++++++++++++
 3 files changed, 95 insertions(+), 2 deletions(-)

diff --git a/tools/testing/selftests/kvm/include/x86_64/processor.h b/tools/testing/selftests/kvm/include/x86_64/processor.h
index b1a31de7108a..9314a06f56d3 100644
--- a/tools/testing/selftests/kvm/include/x86_64/processor.h
+++ b/tools/testing/selftests/kvm/include/x86_64/processor.h @@ -109,6 +109,7 @@ struct kvm_x86_cpu_feature { #define X86_FEATURE_INVPCID KVM_X86_CPU_FEATURE(0x7, 0, EBX, 10) #define X86_FEATURE_RTM KVM_X86_CPU_FEATURE(0x7, 0, EBX, 11) #define X86_FEATURE_MPX KVM_X86_CPU_FEATURE(0x7, 0, EBX, 14) +#define X86_FEATURE_RDSEED KVM_X86_CPU_FEATURE(0x7, 0, EBX, 18) #define X86_FEATURE_SMAP KVM_X86_CPU_FEATURE(0x7, 0, EBX, 20) #define X86_FEATURE_PCOMMIT KVM_X86_CPU_FEATURE(0x7, 0, EBX, 22) #define X86_FEATURE_CLFLUSHOPT KVM_X86_CPU_FEATURE(0x7, 0, EBX, 23) diff --git a/tools/testing/selftests/kvm/include/x86_64/vmx.h b/tools/testing/selftests/kvm/include/x86_64/vmx.h index 5f0c0a29c556..b66661ba28c8 100644 --- a/tools/testing/selftests/kvm/include/x86_64/vmx.h +++ b/tools/testing/selftests/kvm/include/x86_64/vmx.h @@ -61,8 +61,8 @@ #define SECONDARY_EXEC_SHADOW_VMCS 0x00004000 #define SECONDARY_EXEC_RDSEED_EXITING 0x00010000 #define SECONDARY_EXEC_ENABLE_PML 0x00020000 -#define SECONDARY_EPT_VE 0x00040000 -#define SECONDARY_ENABLE_XSAV_RESTORE 0x00100000 +#define SECONDARY_EXEC_EPT_VE 0x00040000 +#define SECONDARY_EXEC_ENABLE_XSAVES 0x00100000 #define SECONDARY_EXEC_TSC_SCALING 0x02000000 #define PIN_BASED_EXT_INTR_MASK 0x00000001 diff --git a/tools/testing/selftests/kvm/x86_64/vmx_msrs_test.c b/tools/testing/selftests/kvm/x86_64/vmx_msrs_test.c index 90720b6205f4..d7b1a72a8912 100644 --- a/tools/testing/selftests/kvm/x86_64/vmx_msrs_test.c +++ b/tools/testing/selftests/kvm/x86_64/vmx_msrs_test.c 
@@ -12,6 +12,96 @@ #include "kvm_util.h" #include "vmx.h" +static void vmx_sec_exec_assert_allowed(struct kvm_vcpu *vcpu, + const char *name, uint64_t ctrl) +{ + TEST_ASSERT(vcpu_get_msr(vcpu, MSR_IA32_VMX_PROCBASED_CTLS2) & ctrl, + "Expected '%s' to be allowed in sec exec controls", name); +} + +static void vmx_sec_exec_assert_denied(struct kvm_vcpu *vcpu, + const char *name, uint64_t ctrl) +{ + TEST_ASSERT(!(vcpu_get_msr(vcpu, MSR_IA32_VMX_PROCBASED_CTLS2) & ctrl), + "Expected '%s' to be denied in sec exec controls", name); +} + +static void vmx_sec_exec_control_test(struct kvm_vcpu *vcpu, + const char *name, + struct kvm_x86_cpu_feature feature, + uint64_t ctrl, bool kvm_owned) +{ + /* Allowed-1 settings are in the upper 32 bits. */ + ctrl <<= 32; + + if (!this_cpu_has(feature)) + return; + + if (kvm_owned) { + vcpu_set_cpuid_feature(vcpu, feature); + vmx_sec_exec_assert_allowed(vcpu, name, ctrl); + + vcpu_clear_cpuid_feature(vcpu, feature); + vmx_sec_exec_assert_denied(vcpu, name, ctrl); + + /* Make sure KVM is actually toggling the bit. 
*/ + vcpu_set_cpuid_feature(vcpu, feature); + vmx_sec_exec_assert_allowed(vcpu, name, ctrl); + } else { + vcpu_set_msr(vcpu, MSR_IA32_VMX_PROCBASED_CTLS2, + vcpu_get_msr(vcpu, MSR_IA32_VMX_PROCBASED_CTLS2) | ctrl); + vmx_sec_exec_assert_allowed(vcpu, name, ctrl); + + vcpu_set_cpuid_feature(vcpu, feature); + vmx_sec_exec_assert_allowed(vcpu, name, ctrl); + + vcpu_clear_cpuid_feature(vcpu, feature); + vmx_sec_exec_assert_allowed(vcpu, name, ctrl); + + vcpu_set_msr(vcpu, MSR_IA32_VMX_PROCBASED_CTLS2, + vcpu_get_msr(vcpu, MSR_IA32_VMX_PROCBASED_CTLS2) & ~ctrl); + vmx_sec_exec_assert_denied(vcpu, name, ctrl); + + vcpu_set_cpuid_feature(vcpu, feature); + vmx_sec_exec_assert_denied(vcpu, name, ctrl); + + vcpu_clear_cpuid_feature(vcpu, feature); + vmx_sec_exec_assert_denied(vcpu, name, ctrl); + } +} + +#define vmx_sec_exec_feature_test(vcpu, name, kvm_owned) \ + vmx_sec_exec_control_test(vcpu, #name, X86_FEATURE_##name, \ + SECONDARY_EXEC_ENABLE_##name, kvm_owned) + +#define vmx_sec_exec_exiting_test(vcpu, name, kvm_owned) \ + vmx_sec_exec_control_test(vcpu, #name, X86_FEATURE_##name, \ + SECONDARY_EXEC_##name##_EXITING, kvm_owned) + +static void vmx_sec_exec_controls_test(struct kvm_vcpu *vcpu) +{ + int i; + + if (this_cpu_has(X86_FEATURE_XSAVE)) + vcpu_set_cpuid_feature(vcpu, X86_FEATURE_XSAVE); + + if (this_cpu_has(X86_FEATURE_RDPID)) + vcpu_clear_cpuid_feature(vcpu, X86_FEATURE_RDPID); + + /* + * Verify that for features KVM has historically taken control of, KVM + * updates PROCBASED_CTLS2 during KVM_SET_CPUID if userspace has never + * set the MSR, but leaves it alone once userspace writes the MSR. + */ + for (i = 0; i < 2; i++) { + vmx_sec_exec_feature_test(vcpu, XSAVES, !i); + vmx_sec_exec_feature_test(vcpu, RDTSCP, !i); + vmx_sec_exec_feature_test(vcpu, INVPCID, !i); + vmx_sec_exec_exiting_test(vcpu, RDRAND, !i); + vmx_sec_exec_exiting_test(vcpu, RDSEED, !i); + } +} + static void vmx_fixed1_msr_test(struct kvm_vcpu *vcpu, uint32_t msr_index, uint64_t mask) { 
@@ -124,6 +214,8 @@ int main(void) /* No need to actually do KVM_RUN, thus no guest code. */ vm = vm_create_with_one_vcpu(&vcpu, NULL); + vmx_sec_exec_controls_test(vcpu); + vmx_save_restore_msrs_test(vcpu); ia32_feature_control_msr_test(vcpu);
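Review bot: the rename of SECONDARY_EPT_VE and SECONDARY_ENABLE_XSAV_RESTORE to SECONDARY_EXEC_EPT_VE and SECONDARY_EXEC_ENABLE_XSAVES in the vmx.h hunk is not mentioned in the changelog, yet it is what makes the new test build: vmx_sec_exec_feature_test(vcpu, XSAVES, ...) token-pastes SECONDARY_EXEC_ENABLE_##name, so the old spelling would not resolve. One sentence in the changelog saying the constants were renamed to the SECONDARY_EXEC_* pattern for the macro (and that no other selftest used the old names, as the three-file diffstat suggests) would spare whoever bisects to this commit a detour.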
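Review bot: in vmx_sec_exec_controls_test(), the for (i = 0; i < 2; i++) loop silently depends on the KVM-owned pass (!i true on the first iteration) running before the userspace-owned pass: the userspace pass calls vcpu_set_msr() on MSR_IA32_VMX_PROCBASED_CTLS2, and per the changelog that first write hands ownership to userspace for the life of the vCPU, so swapping the iterations would make vmx_sec_exec_assert_denied() fail in the KVM-owned pass. Suggest a comment above the loop, e.g. "/* KVM-owned pass must run first: the first MSR write transfers ownership to userspace. */". In the same hunk, the vcpu_set_cpuid_feature(vcpu, X86_FEATURE_XSAVE) and vcpu_clear_cpuid_feature(vcpu, X86_FEATURE_RDPID) at the top of the function carry no comment; a line stating which CPUID dependency each one is clearing out of the way (XSAVES cannot be honoured without XSAVE, and RDPID feeds the same RDTSCP control, if that is the intent) would keep a future reader from deleting them as stray setup. Lastly, vmx_sec_exec_control_test() returns silently when this_cpu_has(feature) is false, so on a host lacking all five features the test passes without checking anything; a pr_info()-style skip message per feature would make that visible.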
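Review bot: the main() hunk places vmx_sec_exec_controls_test(vcpu) ahead of vmx_save_restore_msrs_test() and ia32_feature_control_msr_test(), but the new test does not restore the vCPU: the userspace-owned pass ends with every tested control cleared from the allowed-1 half of MSR_IA32_VMX_PROCBASED_CTLS2, the matching CPUID feature cleared, and the MSR now userspace-owned, so the later tests run against a non-default allowed-1 set. Either confirm those tests do not depend on the defaults, or run the new test last or on a separate vCPU, and say which in a comment next to the call.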